<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - A denial of service vulnerability in function findBaseDefiningValue(llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp) via a bitcode file whose module target triple has been overridden."
   href="https://bugs.llvm.org/show_bug.cgi?id=42647">42647</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>A denial of service vulnerability in function findBaseDefiningValue(llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp) via a bitcode file whose module target triple has been overridden.
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>tools
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>8.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>opt
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>zhangxianbu@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In the LLVM opt tool 8.0.0 and older versions, an issue was discovered. The
findBaseDefiningValue function in
llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp allows attackers to
cause a denial of service (assertion failure and opt tool crash) via a
bitcode file whose module target triple has been overridden.
The bitcode file that causes the denial of service is in the attachment.

Reproduce steps:
# opt -mem2reg -rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b0_new.bc

Please check the rewrite-statepoints-for-gc feature in the opt tool.

If you have confirmed the vulnerability, should I submit this issue for a CVE?

The detailed crash log is as below:

opt:
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:525:
{anonymous}::BaseDefiningValueResult findBaseDefiningValue(llvm::Value*):
Assertion `cast<PointerType>(Def->getType())->getAddressSpace() ==
cast<PointerType>(CI->getType())->getAddressSpace() && "unsupported
addrspacecast"' failed.
Stack dump:
0.      Program arguments: /usr/local/bin/opt -mem2reg
-rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b02.bc 
1.      Running pass 'Make relocations explicit at statepoints' on module
'b02.bc'.
 #0 0x00000000043152b1 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:494:0
 #1 0x0000000004315344 PrintStackTraceSignalHandler(void*)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:558:0
 #2 0x0000000004313352 llvm::sys::RunSignalHandlers()
/home/wenzhuo/llvm-project/llvm/lib/Support/Signals.cpp:68:0
 #3 0x0000000004314d03 SignalHandler(int)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:357:0
 #4 0x00007f553aaa1390 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
 #5 0x00007f55397b0428 raise
/build/glibc-LK5gWL/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
 #6 0x00007f55397b202a abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:91:0
 #7 0x00007f55397a8bd7 __assert_fail_base
/build/glibc-LK5gWL/glibc-2.23/assert/assert.c:92:0
 #8 0x00007f55397a8c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
 #9 0x0000000004224460 findBaseDefiningValue(llvm::Value*)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:529:0
#10 0x00000000042247cb findBaseDefiningValueCached(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:614:0
#11 0x000000000422491c findBaseOrBDV(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:625:0
#12 0x0000000004225372 findBasePointer(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > >
>&)::'lambda0'(llvm::Value*)::operator()(llvm::Value*) const
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:815:0
#13 0x00000000042260d6 findBasePointer(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:826:0
#14 0x0000000004227d04 findBasePointers(llvm::SetVector<llvm::Value*,
std::vector<llvm::Value*, std::allocator<llvm::Value*> >,
llvm::DenseSet<llvm::Value*, llvm::DenseMapInfo<llvm::Value*> > > const&,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&,
llvm::DominatorTree*, llvm::MapVector<llvm::Value*, llvm::Value*,
llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1163:0
#15 0x0000000004227e57 findBasePointers(llvm::DominatorTree&,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&, llvm::CallBase*,
(anonymous namespace)::PartiallyConstructedSafepointRecord&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1181:0
#16 0x000000000422cdfb insertParsePoints(llvm::Function&, llvm::DominatorTree&,
llvm::TargetTransformInfo&, llvm::SmallVectorImpl<llvm::CallBase*>&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2230:0
#17 0x000000000422e984
llvm::RewriteStatepointsForGC::runOnFunction(llvm::Function&,
llvm::DominatorTree&, llvm::TargetTransformInfo&, llvm::TargetLibraryInfo
const&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2626:0
#18 0x00000000042237d7 (anonymous
namespace)::RewriteStatepointsForGCLegacyPass::runOnModule(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:191:0
#19 0x0000000003a69eb7 (anonymous
namespace)::MPPassManager::runOnModule(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1752:0
#20 0x0000000003a6a659 llvm::legacy::PassManagerImpl::run(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1865:0
#21 0x0000000003a6a85f llvm::legacy::PassManager::run(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1897:0
#22 0x0000000001bc91c0 main
/home/wenzhuo/llvm-project/llvm/tools/opt/opt.cpp:899:0
#23 0x00007f553979b830 __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:325:0
#24 0x0000000001b8b1e9 _start (/usr/local/bin/opt+0x1b8b1e9)
Aborted (core dumped)</pre>
        </div>
      </p>
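      <p>Added example, not code from the bug report or from LLVM: a small Python triage parser for crash logs of the kind pasted above. It re-joins the lines the bug mail wrapped, extracts the assertion, the pass that was running and the input file named on the "Program arguments" line, and derives a deduplication signature from the failing function and the assertion text, so that a fuzzing or bug-triage pipeline can recognise repeat hits of the same assertion without re-running opt on every input. The sample log is a constructed, trimmed copy of the one in the report; the record layout, field names and signature format are this example's own choices, not anything LLVM defines.</p>

```python
"""Added example (not from the bug report or LLVM): turn a wrapped opt crash
log like the one above into a triage record with a deduplication signature."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: trimmed copy of the log above, with the mail's line wrapping.
SAMPLE_LOG = """\
opt:
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:525:
{anonymous}::BaseDefiningValueResult findBaseDefiningValue(llvm::Value*):
Assertion `cast<PointerType>(Def->getType())->getAddressSpace() ==
cast<PointerType>(CI->getType())->getAddressSpace() && "unsupported
addrspacecast"' failed.
Stack dump:
0.      Program arguments: /usr/local/bin/opt -mem2reg
-rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b02.bc
1.      Running pass 'Make relocations explicit at statepoints' on module
'b02.bc'.
 #0 0x00000000043152b1 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:494:0
 #6 0x00007f55397b202a abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:91:0
 #9 0x0000000004224460 findBaseDefiningValue(llvm::Value*)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:529:0
#22 0x0000000001bc91c0 main
/home/wenzhuo/llvm-project/llvm/tools/opt/opt.cpp:899:0
Aborted (core dumped)
"""

FRAME_RE = re.compile(r"^\s*#(?P<num>\d+)\s+0x[0-9a-fA-F]+\s+(?P<rest>.*)$")
CONTEXT_RE = re.compile(r"^\d+\.\s+(?P<rest>.*)$")
LOCATION_RE = re.compile(r"\s(?P<file>\S+):(?P<line>\d+):\d+$")
ASSERT_RE = re.compile(r"^(?P<tool>\S+): (?P<file>\S+?):(?P<line>\d+): "
                       r"(?P<func>.*?): Assertion `(?P<msg>.*)' failed\.$")
PASS_RE = re.compile(r"Running pass '(?P<pass>[^']*)' on \w+ '(?P<unit>[^']*)'")


@dataclass
class Frame:
    num: int
    symbol: str
    file: Optional[str] = None
    line: Optional[int] = None


@dataclass
class CrashReport:
    tool: str = ""
    assert_file: str = ""
    assert_line: int = 0
    assert_func: str = ""
    assert_msg: str = ""
    argv: List[str] = field(default_factory=list)
    pass_name: str = ""
    unit_name: str = ""
    frames: List[Frame] = field(default_factory=list)

    def culprit(self) -> Optional[Frame]:
        """Innermost frame in the asserting file; skips signal-handler and libc frames."""
        return next((f for f in self.frames if f.file == self.assert_file), None)

    def input_files(self) -> List[str]:
        """Positional arguments of the crashing command, minus the -o target."""
        argv = self.argv[1:]
        return [a for i, a in enumerate(argv)
                if not a.startswith("-") and (i == 0 or argv[i - 1] != "-o")]

    def signature(self) -> str:
        """Dedup key: failing function plus assertion text. Addresses, source paths
        and input names vary between builds and inputs, so they are left out."""
        c = self.culprit()
        where = (c.symbol if c else self.assert_func).split("(")[0]
        return f"{where}|{self.assert_msg}"


def _unwrap(lines: List[str]) -> List[str]:
    # A record starts at a frame header, a numbered context line or the 'Aborted'
    # trailer; any other line is a mail-wrapped continuation of the previous one.
    records: List[str] = []
    for line in lines:
        new = FRAME_RE.match(line) or CONTEXT_RE.match(line) or line.startswith("Aborted")
        if new or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_crash_log(text: str) -> CrashReport:
    r = CrashReport()
    lines = [l.rstrip() for l in text.splitlines()]
    split = lines.index("Stack dump:") if "Stack dump:" in lines else len(lines)
    # Everything before 'Stack dump:' is the assert() message, possibly wrapped.
    m = ASSERT_RE.match(" ".join(l.strip() for l in lines[:split]))
    if m:
        r.tool, r.assert_file, r.assert_line = m["tool"], m["file"], int(m["line"])
        r.assert_func, r.assert_msg = m["func"], re.sub(r"\s+", " ", m["msg"])
    for rec in _unwrap(lines[split + 1:]):
        ctx, fr = CONTEXT_RE.match(rec), FRAME_RE.match(rec)
        if ctx and ctx["rest"].startswith("Program arguments: "):
            r.argv = ctx["rest"].split(": ", 1)[1].split()
        elif ctx and (p := PASS_RE.search(ctx["rest"])):
            r.pass_name, r.unit_name = p["pass"], p["unit"]
        elif fr:
            loc = LOCATION_RE.search(fr["rest"])
            sym = fr["rest"][:loc.start()].strip() if loc else fr["rest"].strip()
            r.frames.append(Frame(int(fr["num"]), sym,
                                  loc["file"] if loc else None,
                                  int(loc["line"]) if loc else None))
    return r
```

      <p>Keying triage on the log rather than on the written reproduce step also surfaces a detail worth noting in this report: the command recorded in the log names <code>b02.bc</code> as the input, while the reproduce step names <code>b0_new.bc</code>, so the attachment should be checked against the log's argument list.</p>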


    </body>
</html>